restrict stylesheet access to site directory only

brucemiller · Aug 31, 2022 · 2b54ca2 · 2b54ca2
1 parent 9e78816
commit 2b54ca2
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/lib/LaTeXML/Common/XML/XSLT.pm b/lib/LaTeXML/Common/XML/XSLT.pm
@@ -31,5 +31,9 @@ sub transform {
   my ($self, $document, %params) = @_;
   return $$self{stylesheet}->transform($document, %params); }
 
+sub security_callbacks {
+  my ($self, $security) = @_;
+  return $$self{stylesheet}->security_callbacks($security); }
+
 #======================================================================
 1;
diff --git a/lib/LaTeXML/Post/XSLT.pm b/lib/LaTeXML/Post/XSLT.pm
@@ -79,9 +79,28 @@ sub process {
 
   # move to the site directory when applying the stylesheet,
   # since it can create additional files with <exsl:document>
+  my $sitedir  = $doc->getSiteDirectory;
   my $orig_cwd = pathname_cwd();
-  pathname_chdir($doc->getSiteDirectory);
+  pathname_chdir($sitedir);
+
+  # ensure that the stylesheet can only read and write in the site directory
+  # and cannot access the network
+  my $cb = sub {
+    my $dest = pathname_canonical(pathname_absolute($_[1], $sitedir));
+    if (!pathname_is_contained($dest, $sitedir)) {
+      Error('unexpected', 'stylesheet', $doc, "'$dest' is outside of the site directory, denying access");
+      return 0; }
+    else { return 1; } };
+  my $security = XML::LibXSLT::Security->new;
+  $security->register_callback(read_file  => $cb);
+  $security->register_callback(write_file => $cb);
+  $security->register_callback(create_dir => $cb);
+  $security->register_callback(read_net   => sub { return 0; });
+  $security->register_callback(write_net  => sub { return 0; });
+  $$self{stylesheet}->security_callbacks($security);
+
   my $newdoc = $doc->new($$self{stylesheet}->transform($doc->getDocument, %params));
+
   pathname_chdir($orig_cwd);
 
   return $newdoc; }